Dmitry_Barantse
Participant

HTTPS inspection bypass R80.10

Hi team.

I'm trying to add HTTPS inspection bypass rules with a custom site category with a full URL or regex in this category.

But it doesn't work and Check Point inspects this traffic.

Any ideas how to make it work?

17 Replies
Danny
Champion

A bit more information would be helpful (Version you are using, the url you want to bypass, your regex etc.).

Usually, when URL and regex definitions don't work to bypass HTTPS websites, you'll be required to bypass the IP address of the website.

Follow these steps:

  1. Create network objects to represent ranges of IP addresses used by your clients.
  2. Configure the above network objects in the HTTPS Inspection Bypass rule.
  3. Install the policy.

Related SKs: sk108762, sk122158, sk114160, sk114419, sk113935, sk132913

0 Kudos
Dmitry_Barantse
Participant

Hi Danny.

Thanks, but I know about bypass by destination IP.

This method is too time-consuming because websites have multiple IP addresses. So I need to bypass inspection with a wildcard in the URL, for example *.site.com

0 Kudos
Danny
Champion

Which website would you like to bypass?

0 Kudos
Dmitry_Barantse
Participant

For example vtb.ru with all subdomains

0 Kudos
Danny
Champion

vtb.ru owns just a single /24 network: 193.164.146.0/24

So if you create a network object to reflect vtb.ru's network and bypass it within your HTTPS Inspection policy you should be all good.

0 Kudos
Dmitry_Barantse
Participant

Thank you

0 Kudos
Danny
Champion

The 'Thank you' badge can be found right below the Actions link.

ED
Advisor

Hi @Danny 

How did you find out that vtb.ru owns that single /24 network? 

0 Kudos
Darran_Lebas
Participant

I have the same problem where the sites are inspected even though I have a custom bypass application with a list of URLs using regex. The URLs still get inspected and break my connection.

My requirement is to bypass the following.

*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
*.ods.opinsights.azure.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-neu.microsoft.com
crl.microsoft.com
ctldl.windowsupdate.com
events.data.microsoft.com
uk.vortex-win.data.microsoft.com
uk-v20.events.data.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com

What are my options, as currently I can't give my organisation a working solution?

0 Kudos
Darran_Lebas
Participant

Does anyone have any ideas on how to resolve the above issues?

0 Kudos
Alessandro_Marr
Advisor

Enable module probe bypass (sk104717)

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

0 Kudos
Darran_Lebas
Participant

Hi Alessandro,

Was this in response to my issue? If it was, I've been there and felt the pain of enabling probe bypass.

I'm still waiting for CP to supply me with the SNI fix to supplement enabling probe bypass but this hasn't happened as yet.

0 Kudos
Alessandro_Marr
Advisor

Yes, it was.

What is your take on R80.10?

0 Kudos
Darran_Lebas
Participant

It's ever-changing. Currently 169.

No, the list above is from Microsoft. I'd created an application using the proper regex format.

0 Kudos
Alessandro_Marr
Advisor

I have two clusters with R80.10 take 142, probe bypass on, and my regex is like this: (^|.*\.)*microsoft\.com

working fine...

0 Kudos
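
Added example, not part of any post in this thread: a Python check that builds end-anchored patterns from wildcard entries like those in the bypass list above and tests them against hostnames that must stay inspected, so an over-broad bypass pattern is caught before policy install. Python's `re` with search semantics stands in for the gateway's matcher, which is an assumption; the function names and the test hostnames are constructed for the example.

```python
import re

# Subset of the bypass list posted in the thread.
BYPASS_ENTRIES = [
    "*.blob.core.windows.net",
    "*.azure-automation.net",
    "winatp-gw-uks.microsoft.com",
    "crl.microsoft.com",
]

# Constructed hostnames: what the bypass should and should not cover.
SHOULD_BYPASS = ["example-account.blob.core.windows.net", "crl.microsoft.com"]
SHOULD_INSPECT = [
    "crl.microsoft.com.example.net",      # bypassed name used as a prefix
    "notcrl.microsoft.com",               # bypassed name used as a suffix
    "blob.core.windows.net.example.net",  # wildcard domain used as a prefix
]

_ENTRY = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")

def to_anchored_regex(entry):
    """Turn 'host' or '*.domain' into a regex anchored at both ends."""
    entry = entry.strip().lower()
    if not _ENTRY.match(entry):
        raise ValueError(f"unsupported entry: {entry!r}")
    if entry.startswith("*."):
        # One or more labels before the domain; the bare domain is not matched.
        return r"^([a-z0-9-]+\.)+" + entry[2:].replace(".", r"\.") + "$"
    return "^" + entry.replace(".", r"\.") + "$"

def matched(patterns, hostnames):
    """Hostnames matched by at least one pattern (search semantics)."""
    compiled = [re.compile(p) for p in patterns]
    return [h for h in hostnames if any(rx.search(h.lower()) for rx in compiled)]

if __name__ == "__main__":
    anchored = [to_anchored_regex(e) for e in BYPASS_ENTRIES]
    for p in anchored:
        print(p)
    hit = matched(anchored, SHOULD_BYPASS)
    print("missed:", [h for h in SHOULD_BYPASS if h not in hit])
    print("over-matched:", matched(anchored, SHOULD_INSPECT))
    # The same host name written without ^ and $ also matches look-alikes.
    print("unanchored over-matches:", matched([r"crl\.microsoft\.com"], SHOULD_INSPECT))
```
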
Alessandro_Marr
Advisor

Hi Darran, are your regexes like you wrote above?
0 Kudos
Alessandro_Marr
Advisor

Enable the probe bypass module

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1
0 Kudos
